Microsoft criticized for botnet takedown tactics

Antone Gonsalves |
June 14, 2013

Security pros are said to be against any vendor modifying a person's computer without permission, even if the intention is good

While supporting Microsoft's operation in general, Chester Wisniewski, a senior security adviser for Sophos, said some security pros are against any vendor modifying a person's computer without permission, even if the intention is good. "For some of the more hardcore security research people, that's a very dangerous precedent to set," he said.

Boscovich argued that Microsoft did not change victims' computers, but rather brought them back to the state they were in before the infection. In addition, the federal court order that permitted Microsoft and the Federal Bureau of Investigation to disrupt the botnet also allowed the company to distribute configuration files to any infected computer checking into the "U.S.-based command and control structure for Citadel under the court's jurisdiction."

"For command-and-control infrastructure in other countries, we have relied on the voluntary assistance of CERTs in each country to determine the appropriate approach, pursuant to local law and considerations," Boscovich said.

Rather than flashy botnet takedowns, some researchers believe that stronger laws, tougher enforcement and designing security into the application, network and operating system layers of a computer would be more effective.

Microsoft's strategy of seizing domain names to disrupt botnets can lead to cybercriminals taking more damaging action, according to the abuse.ch researcher. For example, in 2011, when researchers were aggressively shutting down the command-and-control domains of the ZeuS-Licat botnet (also known as Murofet), the operators switched to a peer-to-peer architecture to distribute commands to infected systems.

Such an architecture made the botnet traffic harder to detect on the networks of Internet service providers and even harder to block, the blog said.

While experts agree that Microsoft damaged the Citadel botnet, they also say the operators will be back. "This is a big blow to the criminals, but it certainly isn't going to put them out of business," Wisniewski said.